Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

As attacks surface, Sun ships sudden Java patch

By Ryan Naraine | April 15, 2010, 11:30am PDT

Summary: In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.


The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.

The release notes that accompany the new Java 6 Update 20 make no mention of the public flaw disclosure or the subsequent attacks, but I have been able to confirm that the patch does cover the vulnerability disclosed by Google security researcher Tavis Ormandy.

[ SEE: Researcher warns of dangerous Java flaw ]

After applying the fix on a Windows machine, Ormandy's proof-of-concept demo no longer worked. Instead of opening the calculator application, I got an error message from the Java Virtual Machine Launcher.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plugin (the Java Deployment Toolkit) launches "javaws.exe" with command-line parameters supplied by the web page, without validating them.

Despite the absence of documentation, a researcher was able to figure out that Sun removed the code that runs javaws.exe from the Java plugin.
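The bug class is worth seeing side by side with its fix. The following is an added example written for this page, not Sun's plugin source and not Ormandy's proof of concept: a launcher wrapper that forwards a page-supplied string to javaws.exe unvalidated, next to one that accepts only a single http(s) URL to a .jnlp file. The LAUNCHER path and both input strings are assumptions constructed for the demo; neither function executes anything, they only build the argument list.

```python
"""Added example: the bug class behind the javaws launch flaw.

This is illustrative code, not Sun's plugin source. A browser plugin that
forwards a page-supplied launch string to a command-line launcher without
validating it lets the page append its own switches. Both builders below
only construct the argv list and never execute anything, so the example
runs anywhere. LAUNCHER is an assumed install path.
"""
from urllib.parse import urlsplit

LAUNCHER = r"C:\Program Files\Java\jre6\bin\javaws.exe"  # assumed path


class RejectedLaunch(ValueError):
    """Raised when a launch string fails validation."""


def build_argv_unvalidated(launch_string: str) -> list:
    """Vulnerable pattern: whitespace-split whatever the page supplied and
    hand every token to the launcher. The page now controls javaws.exe's
    whole command line, not just the JNLP URL it was meant to provide."""
    return [LAUNCHER, *launch_string.split()]


def build_argv_validated(launch_string: str) -> list:
    """Hardened pattern: the plugin's contract is "open this JNLP file", so
    accept exactly one http(s) URL ending in .jnlp and nothing else. Switches,
    UNC paths and extra tokens are refused before they reach the launcher."""
    tokens = launch_string.split()
    if len(tokens) != 1:
        raise RejectedLaunch("expected one argument, got %d" % len(tokens))
    url = tokens[0]
    if url.startswith("-"):
        raise RejectedLaunch("switches are not accepted: %r" % url)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise RejectedLaunch("only http(s) URLs are accepted: %r" % url)
    if not parts.path.lower().endswith(".jnlp"):
        raise RejectedLaunch("not a JNLP resource: %r" % url)
    return [LAUNCHER, url]


def is_accepted(launch_string: str) -> bool:
    """True if the hardened builder would pass the string to the launcher."""
    try:
        build_argv_validated(launch_string)
    except RejectedLaunch:
        return False
    return True


# Constructed inputs for the demo; not captured attack traffic.
BENIGN = "http://example.com/apps/demo.jnlp"
INJECTED = "http://example.com/apps/demo.jnlp -J-Dinjected=1 -verbose"


def demo() -> dict:
    """Show what each builder does with the benign and the injected string."""
    return {
        "benign_unvalidated": build_argv_unvalidated(BENIGN),
        "injected_unvalidated": build_argv_unvalidated(INJECTED),
        "benign_validated": build_argv_validated(BENIGN),
        "injected_validated": is_accepted(INJECTED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %s" % (name, value))
```

The validated builder is the "sanitize before use" option; what Sun actually shipped, according to the paragraph above, was the other option of removing the launch code entirely, which is the safer choice when no caller needs the feature.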

Here is a link to download the patch from Sun’s Web site.

[ SEE: Java zero-day flaw under active attack ]

The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities.  In this case, Google’s Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response.

It’s incomprehensible that a software vendor like Sun, now under Oracle’s wings, could have misdiagnosed this vulnerability when Ormandy originally reported it.  It was clear, from the inception, that this was a “critical” issue that was found by several different hackers.  On Twitter, Ormandy said he had no information that the issue was already in the wild before he wielded the full-disclosure stick. However, he maintains “it was just too trivial for that not to be the case.”

[ SEE: Responsible disclosure, the Microsoft way ]

To date, neither Sun nor Oracle has publicly commented on, or even acknowledged, the public disclosure of an issue that is being actively exploited.

Speaking of irresponsible, here's what I saw when I applied the new Java update this morning: an offer to install the Bing toolbar. Yes, checked by default. Sigh.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

53 Comments

They drag their heels* to the plate
klumper 15th Apr 2010
then greet users and clients with pre-checked pitches for Bing or Google add-on crud. You gotta love it.

* Heels in more ways than one.
Yay, Symantec!
andy88488 15th Apr 2010
I just tried the Test Page (without patching Java). The first time I tried it, it didn't work. Now it tried to do something, but it was blocked by Symantec Anti-virus. Score one for the good guys!
YEA AVG
GAXXIS 16th Apr 2010
AVG caught it while the page was loading and blocked the site

Gaxxis
Hmm, Symantec
mzeller@... 16th Apr 2010
Our Symantec Endpoint Protection flags it as a virus, but still lets it run. SEP users keep an eye out.

Yeah, just what we all need, yet another toolbar to make our speedy machines run like our beloved old IBM PC XT did...slow.

Still, I'm happy to see the patch hit. Beats Adobe's record.
I can't find the link to download the fix
waynearcelectcom 15th Apr 2010
Where's the link for the new fix?
Don't be tricked about the Java version number.
Smart_Neuron Updated - 15th Apr 2010
Hi -

Heads up!

Sun has a small (albeit important) correction to make.

Once you use the Java Control Panel to update, it says Version 20. However, when you install it and do "About," etc., it says Version 19.

In Add/Remove Programs it is listed as Version 20.

Small details do count.
rushed...
erik.soderquist 16th Apr 2010
i think version number display mistakes are a sign of a really rushed update patch...
Way to go Oracle! not Sun anymore but still. Just the other day Oracle said that there was no rush and that it would be put in the normal upgrade cycle which wouldn't come out until July! I was beginning to think it would be like MS and their fix for the browser glitch that showed up at the convention in Canada just what, a month ago? Glad to see that they stepped up and corrected it now.

lrfocke
Bing toolbar on Java update page
mikew_z 15th Apr 2010
And this is the same Sun that reached a settlement with M/s regarding the bastardised M/s version of Java ...?!
I am still running Java jre1.5.0_11 Should I update to the latest version or is the old one safe?
test it
erik.soderquist 16th Apr 2010
the article provides a "safe" demo of the vulnerability, it launches the calculator application.

the link is:
http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html
AVG is keeping me safe
Kualinar 16th Apr 2010
AVG blocks that page.
AV developers are way faster to cover those vulnerabilities than the software makers.
Avast caught it
Alzie Updated - 16th Apr 2010
Avast caught it. I have not installed the patch yet.
Yep..
JCitizen Updated - 16th Apr 2010
I uninstalled my 32bit java, but the new 64bit java for IE 8 was still insecure according to Secunia PSI. Oh Well! Maybe the Vista patch is late!

Avast Pro v.5 definitely nailed that one!
What do you think?

What I think is that this entire article and fuss is
all ado about nada. From what I have read in
earlier articles and posts this is all BS, designed
especially for the super tech types to weigh-in
and try to prove how much they think they
know.

This is all baloney. If it wasn't then every
swinging dick that is using Java on a windows
machine would be getting their ass kicked, and
it would be media central because every
reporter on the planet would be getting
affected.

In other words, STFU.
?????????????????????
erik.soderquist 16th Apr 2010
have you actually read about this or tested it yourself?

the demo in the article proves it can launch an arbitrary executable on any vulnerable machine just by visiting the page. that alone is a critical security failure. for my own testing in a private environment, i confirmed that pretty much anything is open, including a silent background download and installation of whatever program i chose, completely without prompting of any kind, just by visiting the page.
what does bing has to do with java?
Linux Geek 15th Apr 2010
I guess it was a M$ vulnerability after all!
great...
Ceridan 15th Apr 2010
... is there a limit to your cultist behaviour?


Sun... sorry, Oracle decided to include the Bing search bar (and, like every other crapware, it's checked by default...) instead of the Google bar (which was also checked by default, like every other crapware)...


It was a Java vulnerability... not an MS vulnerability... they just want to try to install crapware at the same time...
crapware
avoidz 15th Apr 2010
It's one of the worst plagues of computer software in recent times, the inclusion of these checked-by-default toolbars during installation.
What is spam? Emails that contain things that you don't want or need and don't want to deal with every day. What is crapware? Items installed on your computer that you don't want or need and don't want to have to deal with every day, but are forced to by short-sighted lawmakers. This stuff should be as illegal as spam. The only difference is that it doesn't go to your email.
crapware = PUP
keithnorman2 16th Apr 2010
These toolbars need to be considered the same as any other PUP.
The AVG one (even with Yahoo de-selected) completely trashed the web browsing experience for every other person I know that put it in by accident.
When they cause more problems than they try to resolve, do they not expect it to turn potential customers away from installing their other (better) products?
You "hit the nail on the head"
lehnerus2000 17th Apr 2010
Politicians used to get spam (just like everyone else), so they decided to act on all the public complaints.

Politicians use taxpayer funded IT support staff, to set-up their computers, so they don't see these annoying toolbars, thus they haven't been declared illegal.

"I've never seen one, so there is no problem."

lehnerus2000
hmmm...
PittSteeler 16th Apr 2010
I was given the "standard" option of installing the Yahoo toolbar.
The real question would be why did you only *now* see that Bing crap was included? It's been in there since before 6.18 ... and maybe as far back as 6.10.

Additionally I would wonder what ever finally happened with Java's idiocy of heaping version on top of version on top of version..

I mean that when I first found I had 700 MEGS in 6 versions of f**king Java installed I went ballistic.. and with their BS of "well maybe you need version X for a specific Java app" ... and in that case.. then why doesn't the *then current* installer ask if it can remove the old or if it must be left for compatibility? ... OR why not recommend that Java writers include a "required" version registration entry if they have known compatibility issues, so that the INSTALLER can look for those versions requiring a specific Java version, thereby making unnecessary versions removable...?

Java ... one of those things you can't live with or without, it seems..
.NET
erik.soderquist 16th Apr 2010
this is much the same as .NET

it is an attempt to get around 'dll hell'

and you can't always know what version a new website will require.

however, i strongly agree that we should have the option to pick and choose which version(s) to retain on our systems rather than getting a silent layering of new versions with no clean up.

another question this spawns: what if the exploit page sets the exploitable version as the 'required' version? with the older version retained for compatibility, does that also retain the vulnerabilities 'for compatibility'?
I just wished someone would...
JCitizen 16th Apr 2010
develop a java alternative, I'm sick of patching the leaky crap!

Got rid of Adobe flash and reader, now I'm getting spoiled! I'd get rid of MS too, but with my mission - it would just take too many man hours to switch all the capability over to Linux.
Thank you
TheTess 15th Apr 2010
Thank you for the heads up on the update. I was wondering when this was going to come out.

But I don't understand how you got to the Bing Toolbar page? All I did was go to my Java icon in Windows Control Panel and updated mine without any problems or Bing popups.

Anyways, thanks again ;)

Newbie question, sorta... is a system with updates 3, 5, 7, etc. also installed along with update 19/20 still vulnerable? Thanks.
RE:
Pure_Guava 16th Apr 2010
Not necessarily by default, as the browsers on the machine will use the most recent. But I wouldn't take a chance that someone won't figure out how to have the machine launch the older, vulnerable version.
Unless you have an app that specifically needs the older versions, uninstall them all and just leave the latest. Sun didn't start having the new updates replace the old ones until v6u11.
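The question above about leftover Java 6 Update 3/5/7 installs, the earlier jre1.5.0_11 question, and the "Version 19 vs. Version 20" confusion all come down to the same check: read every version string the machine reports and compare it with the fixed release. The following is an added example written for this page, not code from the article or from any commenter. It assumes that Java 6 Update 20 reports itself as 1.6.0_20 in `java -version` and as "Java(TM) 6 Update 20" in Add/Remove Programs (the display-name format is an assumption), and the sample entries are constructed strings rather than output captured from a real machine.

```python
"""Added example, not from the article or any commenter: flag Java
runtimes older than the fixed release.

Java 6 Update 20 identifies itself as 1.6.0_20 in `java -version`; the
same build is listed as "Java(TM) 6 Update 20" in Add/Remove Programs
(display-name format assumed) and installs under a jre1.6.0_20 directory.
Side-by-side installs leave older updates on disk, so every entry below
1.6.0_20 is reported as vulnerable. The sample entries are constructed
strings, not output captured from a real machine.
"""
import re
from typing import List, NamedTuple, Tuple

FIXED = (1, 6, 0, 20)  # Java 6 Update 20, the release the article covers

_DOTTED_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
_DISPLAY_RE = re.compile(r"Java\(TM\)\s+(\d+)\s+Update\s+(\d+)", re.IGNORECASE)


class JavaVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    update: int

    @classmethod
    def parse(cls, text: str) -> "JavaVersion":
        """Read a version from `java -version` output, an install directory
        name such as jre1.5.0_11, or an Add/Remove Programs display name."""
        m = _DISPLAY_RE.search(text)
        if m:  # "Java(TM) 6 Update 20" means 1.6.0_20
            return cls(1, int(m.group(1)), 0, int(m.group(2)))
        m = _DOTTED_RE.search(text)
        if m:
            major, minor, micro, update = m.groups()
            return cls(int(major), int(minor), int(micro), int(update or 0))
        raise ValueError("no Java version found in %r" % text)

    @property
    def is_fixed(self) -> bool:
        """True when at or beyond 1.6.0_20."""
        return tuple(self) >= FIXED


def audit(entries: List[str]) -> List[Tuple[str, JavaVersion, bool]]:
    """Parse each entry and say whether it is at the fixed level."""
    report = []
    for entry in entries:
        version = JavaVersion.parse(entry)
        report.append((entry, version, version.is_fixed))
    return report


def vulnerable(entries: List[str]) -> List[str]:
    """Entries that should be updated or uninstalled."""
    return [entry for entry, _, ok in audit(entries) if not ok]


# Constructed sample mirroring the situations described in the thread.
SAMPLE_INSTALLS = [
    'java version "1.6.0_20"',   # the patched runtime
    'java version "1.6.0_19"',   # previous update, still vulnerable
    "jre1.5.0_11",               # an old JRE 5 install directory
    "Java(TM) 6 Update 3",       # leftover entry in Add/Remove Programs
]

if __name__ == "__main__":
    for entry, version, ok in audit(SAMPLE_INSTALLS):
        label = "ok" if ok else "VULNERABLE"
        print("%-28s %d.%d.%d_%d  %s" % ((entry,) + tuple(version) + (label,)))
```

Run `java -version` from each installed bin directory rather than trusting the Control Panel's number alone; as the comment above notes, the two can disagree after a rushed update.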
Not that I use the Bing toolbar, as I use
Snooki_smoosh_smoosh 15th Apr 2010
Google, but Adobe, and Java have been bundled with one toolbar or another, since for as long as I can recall, and yes they are default checks that have to be cleared, so why bother to bring it up?
why bother to bring it up?
jjsteich@... 16th Apr 2010
because maybe at some point Sun will listen & make it opt-in, not opt-out. because it is infuriating. because it is unnecessary!
A bit confused...
jbs411 15th Apr 2010
You say that 1.6.0 Update 20 fixes the problem, but I still have Web Start disabled:

1) Was Java patched at 1.6.0 Update 19?
2) MS Update applies security patches that disable Web Start.
3) Installed Java 1.6.0 Update 20.

I still have Web Start disabled. Are you saying that Update 20 enables Java Web Start again?
They have been bundling the bing toolbar for months with it always checked as the default.
Toolbar-free Java install
Pure_Guava 16th Apr 2010
Go to http://java.sun.com/javase/downloads/index.jsp instead. This is the install that should be used for pushing it out across a network as well.
What toolbar offer? ...
Railroad Buff 16th Apr 2010
There was no toolbar offer here - I went via the Java Control Panel, Update tab, Update Now button, and got no toolbar. I have both IE8 and Firefox, with Firefox being the default. That might play a role.
Bing, Yahoo toolbars will install, anyway
still not nice 16th Apr 2010
Even if you uncheck the box.

I found out through jv16PowerTools that it was there. Inactive of course, but still installed. Revo uninstaller will probably detect it too.

Needless to say, it is off my machine. I have to do this routinely every time Java does an update.
Yes, Java distro includes the Bing toolbar. Proving once again that "free" software... isn't.
Sun?
statuskwo5 16th Apr 2010
Don't you mean Oracle? Last time I checked Sun was kaput.
maybe
erik.soderquist 16th Apr 2010
i believe Sun still exists, but now as a subsidiary of Oracle rather than as an independent entity. i would have to look it up again to be certain
RE: As attacks surface, Sun ships sudden Java patch
mcswan454 Updated - 16th Apr 2010
Spent a good bit of time reading through these replies... Here's a thought: THINK BEFORE clicking on a web URL?

We're going to have vulnerabilities. It wasn't until crackers began doing their thing that we developed a whole security industry! How many of you can claim to have worked on a DEC (remember them?) pdp-8? Or older? I'm only 46, and I have done it. (Documented proof avail. upon request)

OK. So how do you handle computer security? Be SMARTER than the box you sit in front of. Crackers give security guys a job. A job that DID NOT EXIST before then. You can certify as an ETHICAL HACKER for crying out loud!

Regardless of what OS, Browser, App you use, someone -- even as I write this -- is trying to make your life miserable, and someone else, is trying to prevent it.

We're PEOPLE. We're HUMAN! We CANNOT write perfect code, we CANNOT account for vulnerabilities in what we create. There's ALWAYS a better hacker/cracker than YOU.

So, given that, let's be smarter than the machine. Or we can keep reading this stuff, and (for some of you in the tech field who cannot at least spell) we'll keep having these conversations until Hell freezes over.

M.
missed a piece
erik.soderquist 16th Apr 2010
i fear you've missed at least part of the issue...

the pages that contain these drive-by attacks are not always some server out in Russia that only a fool would go to. Microsoft's own servers have been compromised before (remember Code Red?). to a Windows machine, Windows Update should be the holy of holies as far as being safe is concerned.

if that had been an infection with a drive-by payload, everyone who went to Windows Update would have been infected...

being vigilant about your own security updates is also important, and 'smart browsing' only goes so far, especially when sites with a reputation of being safe can be compromised.
Let me go here...
mcswan454 Updated - 16th Apr 2010
I trust NOTHING on the web; no site EVER. And yes, Of course I remember Code Red.

Ever since the NSF stopped regulating what could be placed on the web here in the US (the evolution of the .com domain), I have been suspicious. I use MS Windows, Linux, and Mac. Do I TRUST? No.

So I have the antivirus, anti-whatevers on my computer(s).

And, hey, I gave up hacking/cracking long ago. Once you're caught (and you will be) some very INTERESTED people are looking at you also -- worldwide -- you're done. 15 minutes of fame. I prefer to remain safely anonymous.

Who was programming "drive-by" attacks when you could only post on the web from .edu, .net or .org, for information's sake? Maybe some script-kiddie who didn't like what you had to say.... And as I recall, "drive-by" is a recent term. Usually, we'd scramble your page.

Malware back then depended mostly on you activating a file, usually given to you on a floppy. Sneaker-net file sharing of the day.

Then, it moved to email, no? But people in general wised up to that. Articles have been written on the value of anti-malware as no longer being needed. Ref: http://www.itsecurity.com/features/does-antivirus-matter-090407/

BIG MONEY is involved with the web now, perhaps more than the "brick and mortars" ever dreamed so....

Aside: I wonder if the crackers ever considered putting their talents to good use. If they can exploit it, they KNOW how to fix it. The choice for them is simple: Do I wish to get paid some salary for this, or should I destroy some lives first, perhaps making a large sum of money for myself along the way UNTIL I get caught?

Smart browsing, smart security is ALL I can do. It only goes so far, but... I also understand there are people who, while I am at work, seek to undermine not just myself (wish I were that important), but society as a whole. Or convince me that these exploiters are doing this for the betterment of mankind?

I've NEVER met anyone who stole my identity to improve it.

'Nuff said.
/me bows and apologizes
erik.soderquist Updated - 16th Apr 2010
i had the impression you were indicating that safe browsing was the only thing a user had to do to avoid infection, i apologize for my misunderstanding

however, i do have to point out one potential error, and i'll use an old analogy to illustrate it

in the days of swords and armor, of necessity, sometimes even small children were taught how to quickly find and exploit the chinks in a soldier's armor. that doesn't by any stretch mean the child could take the suit of armor to the smithy and eliminate the chinks in the armor.

i can take a hammer and smash a stained glass window, that doesn't mean i can make the stained glass window.

now, some of the weakness in software are fairly easily fixed. in this case, sanitizing the input before applying it, or what sun seems to have done, simply removing the segment, is an easy fix.

in cases like Code Red, yes, they broke it, doesn't necessarily mean they knew how to actually fix it. some do, some don't. considering that the first version of Code Red had a trivially flawed random sequence generator, the original author might have made a clumsy mistake, or might have been a poor programmer and therefore unable to actually fix the flaw being exploited even with access to the source code.

[edit to correct spelling]
RE: me bows and apologizes
mcswan454 16th Apr 2010
I concur. And I apologize if I was on a soapbox. It just sometimes appears to me that I spend more time thinking emotionally to these issues, than remembering as you did, certain facts.

M.

BTW: The spelling thing was in jest. I am human too.
Toolbar issue
jacobus57 16th Apr 2010
The dubious toolbar offers are random, browser and update mode independent, can be either Yahoo or Bing, and are--alas--always opt-out. Anyone who has installed Java or an update more than once, especially on multiple boxes, should have noticed this. If you have NOT noticed it, you aren't paying attention.
Toolbar issue
jjsteich@... 16th Apr 2010
I update 8 creaky XP boxes weekly, and with (compared to most of you) barely passable skills. These opt-out check boxes drive me nuts, especially since I have to block Bing in our current children's computer lab setup. While I can make safe search lockable in Google, Bing allows every user to "agree" that they are old enough to view adult material. Imagine MY surprise!

So, the fact that I have to uncheck these boxes every time I update Java--which seems to be weekly lately--makes me about to scream at the SUN.
Thanks.. My Norton antivirus caught the threat and removed it.
Hard to believe but I've heard from three people that they've been unable to install the Java update. Whether or not this is a serious problem, I know not because all three of these folks are rather computer illiterate and cannot follow even step by step instructions. Very strange.